Talk:Wikimedia Foundation Audit Committee/Archive 1

From Meta, a Wikimedia project coordination wiki
Jump to navigation Jump to search


Control on non-WMF finances

I have to note that as usual the charter contains an impossible statement: «Establishes policies and procedures that ensure full transparency into the use of all donor funds raised under the Wikimedia name or on its sites, including those raised by the Foundation, the Chapters and other affiliated organization». The WMF audit committee, being a WMF committee, cannot oversee the spending of other organizations. So this impossible statement actually means that the committee will oversee the FDC criteria so that the financing of other organizations by the WMF follows strict requirements on transparency including the requests for reports etc. etc. --Nemo 09:56, 12 November 2012 (UTC)[]

In one way, you are of course correct. Movement entities are independent and the Foundation (or its Audit Committee) does not have oversight over them. They can act as they please. The issue arises when those entities wish to use our movement's name, or wish to have have access to funds raised in the name of our movement. The Foundation has been entrusted with the protection of the name Wikipedia and some of the related trademarks. As a result, the Foundation has a duty to protect those trademarks. The Foundation and the Audit Committee have established a set of criteria (including transparency) around the use of movement trademarks and funds in an effort to ensure donor funds are used in a manner consistent with our movement's mission and commitments to donors. Any entity that wishes access to movement donor funds (either as a payment processor, an FDC recipient, or a grant recipient) has to meet those criteria as well as the review conducted by the FDC.Stu (talk) 15:27, 12 November 2012 (UTC)[]
As usual, I disagree that "protecting the trademarks" gives you the right to do that – as by the way reading the trademark agreement will confirm (as such clauses have already been soundly rejected, not to mention that they are the reason why chapters like WMIT didn't sign the Grants agreement and similar subjection declarations) –.
Trademarks exist to protect the Wikimedia projects (as Mike Godwin has many times explained us), not the other way round. As for chapters, the legitimate use of the trademarks is controlled by wikimedians directly through democratic assemblies following the standards for transparency, democracy and good governance set by the bylaws written according to laws and charity registers requirements with the approval of the WMF. The control that the WMF exercises over chapters and entities, through AffCom, happens (or should happen) at another level. --Nemo 19:22, 12 November 2012 (UTC)[]
I wish that were the case, but it isn't. The WMF owns and controls the trademarks. --Tango (talk) 20:39, 12 November 2012 (UTC)[]
This doesn't mean that it owns and controls all the entities it has a trademark agreement with. I'm not aware of Orange being owned and controlled by the WMF, for instance. --Nemo 16:33, 13 November 2012 (UTC)[]
You are right that the main control the WMF exercises in support of the movement is over recognition of chapters and other entities that are invited to enter into broad trademark agreements. Every central movement entity should have its own audit committee which is responsible directly for effective and transparent use of resources. A proposal: try replacing the word "ensure" with the word "guide" in the charter, where the guidance is given to the FDC as well as directly to other entities. Would that address your concern.
We do need global guidelines and principles for all groups; ideally agreed to by all current entities, however they are initially drafted. I'd like to see members from other audit committees comment here about whether they have any issues with the current policies drafted (with public input) by the WMF Audit Com.
The problem with only exercising influence through AffCom is that there is little room for subtlety there; AffCom only knows how to say "recognize" vs. "don't recognize" and is only recently starting to review the activity of recognized entities. It will take time for that body to develop more nuanced recommendations. SJ talk  18:23, 13 November 2012 (UTC)[]
Not really, I don't see how it can "guide" anyone when it's unilateral. As for AffCom, I disagree completely: for what I remember, the ChapCom has done a lot to help chapters grow and improve, including of course addressing the issues of transparency (but this might be just a feeling?). You also ask if there's disagreement about "guidelines and principles" coming from the Audit Committee. Well, I don't remember any, is there a list? The only thing I remember is the promotion of bureaucracy and control. Could you elaborate on the concept that the Audit Committee has proved more adequate than e.g. the AffCom to provide useful guidance as opposed to black and white "in or out"? Thanks, Nemo 20:35, 13 November 2012 (UTC)[]
AffCom has become better in the past year at saying to chapters "you have a problem with X and need to address it" - for instance with Wikimedia Taiwan. AuditCom has also suggested guidelines and best practices. They complement one another. SJ talk  18:39, 14 March 2013 (UTC)[]
There is a critical point. The use of the name of Wikimedia is assigned by the local law as soon the association is legally recognized by the local government. The use of the logo is stated by the agreement with WMF. It means that the association Wikimedia XX may exist without WMF's Wikimedia logo. The creation of a new association Wikimedia XX probably may not be possible in some local legal systems because it would be subsequent. So I agree with you if you change with "all donor funds raised under the Wikimedia logos or on its sites". The logos belong to WMF, the names to the chapters because the name is defined in a legal document and this legal document is the bylaws and this bylaws has been registered by the local governments. --Ilario (talk) 19:53, 12 November 2012 (UTC)[]
I don't think you can invalidate someone else's trademark just by using it as the name of your company... Both the word and the logo are WMF trademarks. --Tango (talk) 20:39, 12 November 2012 (UTC)[]
To control a global brand or trademark, you need to have a process for reviewing and approving uses of the mark -- including all organizations that operate under the mark, doing the same sort of work, or fundraising for the same sort of work. We can argue over what entity is the right one to oversee the trademarks, and what the right process for approving use of the marks is. But if we want our marks to be protected under international law, and if we want to be able to prevent "inappropriate" uses of a trademark, such a process has to be documented and followed. SJ talk  18:39, 14 March 2013 (UTC)[]


Risk assessment

The annual plan contains a section on risks - a staff assessment of risks to the projects and to the WMF. We recently discussed splitting this out into its own document. (Plan development may also become more regular, quarterly rather than annual.) Suggestions for topics missing from that risk document are also welcome. SJ talk  20:23, 3 November 2014 (UTC)[]

Reviewing the 2014-2015 Annual Plan more carefully than I have before joining the committee, here are some thoughts. Internal control is defined in our encyclopedia as the "process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies" so this plan is really fundamental for good internal control.

  • Looks like the plan is reasonably although not perfectly SMART (Specific, Measurable, Assignable, Realistic, Time-related) so that's good; looks like we're in Q2 of the plan. In the long-run a retrospective assessment and maybe a real-time dashboard showing completion of goals could be helpful but it sounds like there's some thought about updating this quarterly and I imagine progress is carefully reviewed in board meetings.
  • As we mentioned on the call, the top risk that comes to mind is the community risk, and that is listed as the first risk which is appropriate. I do think that there is room for improvement in addressing this risk. For example, research by Aaron Halfaker (User:EpochFail) reveals that some vandal-fighters are much less inviting of newcomers than others, but I asked him the other day about reaching out and mentoring these people specifically and he said it hadn't been tried; I'm not sure we even have a list of high-volume vandal fighters. The Growth team has also dissolved and so it's not clear who is running point on this type of area exactly and when something is everyone's problem, it is nobody's problem. In terms of features, there's been a communication gap between editors and the foundation developers and while everyone knows that, as a community member I'm worried that more liaisons and the IdeaLab won't effectively bridge that gap. Phabricator is not exactly user-friendly either. I would recommend Uservoice or perhaps Getsatisfaction for collecting (and allowing editors to vote on) feature ideas rather than something homegrown right now.
  • Moving on to areas which are more specifically the domain of the audit committee, first note that in page 3 of KPMG's audit results presentation notes that, as part of the Foundation's representation to the auditor, the Audit Committee is responsible for "Oversight of the financial reporting process and oversight of ICFR" [internal control over financial reporting] and "Oversight of the establishment and maintenance of programs and internal controls designed to prevent and detect fraud":
    • Starts w/ culture and tone from the top which seems to be OK. Another important key is segregation of duties which means not allowing single employees to get too much ownership over certain processes (especially overlapping processes) and a second or third pair of eyes on a process. Key accounting employees are also usually encouraged to take a vacation.
    • In most of the accounting systems I've been involved with checks were at the core of the payments, which have some documentation and verification built-in. With Wikimedia there may be a lot more credit/debit card/paypal usage which might have some different risks.
    • IT involves unique risks. The general internal control framework is COSO (I have electronic copies of the documents), but for IT there are others. See Wikipedia articles for Control Objectives for Information and Related Technology (COBIT), Risk IT, and Corporate governance of information technology. I'm not familiar with these but I imagine they deal with server infrastructure, potential for data loss, etc.
    • Auditors typically place more emphasis on nonroutine transactions, especially those involving estimation. I don't know that we have any of those but if we do, we should be aware of them.

Auditors assess the "inherent risk" of an organization and use that in determining how many transactions to sample. I'd say Wikimedia clearly has low inherent risk but it's still worth it for the committee to do some extra due diligence and understand the processes inside the accounting office. At the same time, there are bigger priorities right now (especially for me) so it's something that could be tackled long-term. Ben Creasy (talk) 15:56, 8 December 2014 (UTC)[]


2015-2016 elections

Hi, guys! As I noticed before, every April there was a call for volunteers to the Audit Committee, but this April (in 2015) there was not such an event. Did something change in the schedule? rubin16 (talk) 20:31, 20 June 2015 (UTC)[]

Hi Rubin,
there is not really an election for the committee, but the there has been a call for volunteers, see --Isderion (talk) 21:11, 30 June 2015 (UTC)[]
It has been sent to wikimedia-l as well. Alice Wiegand (talk) 21:18, 30 June 2015 (UTC)[]